<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
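	<title>Built-in roles | ElasticSearch 7.7 Definitive Guide (Chinese Edition)</title>
	<meta name="keywords" content="ElasticSearch Definitive Guide (Chinese Edition), elasticsearch 7, es7, real-time data analysis, real-time data search" />
    <meta name="description" content="ElasticSearch Definitive Guide (Chinese Edition), elasticsearch 7, es7, real-time data analysis, real-time data search" />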
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'built-in-roles.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">Original English version: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/built-in-roles.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/built-in-roles.html</a>, copyright of the original document belongs to www.elastic.co<br/>Local English version: <a href="../en/built-in-roles.html" rel="nofollow" target="_blank">../en/built-in-roles.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
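<strong>Important</strong>: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">current release documentation</a>.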
</div>
<div id="content">
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="built-in-roles"></a>Built-in roles<a class="xpack_tag" href="https://www.elastic.co/subscriptions"></a>
</h2>
</div></div></div>
<p>The Elastic Stack security features apply a default role to all users, including
<a class="xref" href="anonymous-access.html" title="Enabling anonymous access">anonymous users</a>. The default role enables users to access
the authenticate endpoint, change their own passwords, and get information about
themselves.</p>
<p>There is also a set of built-in roles you can explicitly assign to users. These
roles have a fixed set of privileges and cannot be updated.</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<a id="built-in-roles-apm-system"></a> <code class="literal">apm_system</code>
</span>
</dt>
<dd>
Grants access necessary for the APM system user to send system-level data
(such as monitoring) to Elasticsearch.
</dd>
<dt>
<span class="term">
<a id="built-in-roles-apm-user"></a> <code class="literal">apm_user</code>
</span>
</dt>
<dd>
Grants the privileges required for APM users (such as <code class="literal">read</code> and
<code class="literal">view_index_metadata</code> privileges on the <code class="literal">apm-*</code> and <code class="literal">.ml-anomalies*</code> indices).
</dd>
<dt>
<span class="term">
<a id="built-in-roles-beats-admin"></a> <code class="literal">beats_admin</code>
</span>
</dt>
<dd>
Grants access to the <code class="literal">.management-beats</code> index, which contains configuration
information for the Beats.
</dd>
<dt>
<span class="term">
<a id="built-in-roles-beats-system"></a> <code class="literal">beats_system</code>
</span>
</dt>
<dd>
<p>
Grants access necessary for the Beats system user to send system-level data
(such as monitoring) to Elasticsearch.
</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
This role should not be assigned to users as the granted permissions may
change between releases.
</li>
<li class="listitem">
This role does not provide access to the beats indices and is not
suitable for writing beats output to Elasticsearch.
</li>
</ul>
</div>
</div>
</div>
</dd>
<dt>
<span class="term">
<a id="built-in-roles-data-frame-transforms-admin"></a> <code class="literal">data_frame_transforms_admin</code>
</span>
</dt>
<dd>
Grants <code class="literal">manage_data_frame_transforms</code> cluster privileges, which enable you to
manage transforms. This role also includes all
<a href="https://www.elastic.co/guide/en/kibana/7.7/kibana-privileges.html" class="ulink" target="_top">Kibana privileges</a> for the machine learning features.
<span class="Admonishment Admonishment--change">
[<span class="Admonishment-version u-mono u-strikethrough">7.5.0</span>]
<span class="Admonishment-detail">
Deprecated in 7.5.0. Replaced by <a class="xref" href="built-in-roles.html#built-in-roles-transform-admin"><code class="literal">transform_admin</code></a>
</span>
</span>.
</dd>
<dt>
<span class="term">
<a id="built-in-roles-data-frame-transforms-user"></a> <code class="literal">data_frame_transforms_user</code>
</span>
</dt>
<dd>
Grants <code class="literal">monitor_data_frame_transforms</code> cluster privileges, which enable you to
use transforms. This role also includes all
<a href="https://www.elastic.co/guide/en/kibana/7.7/kibana-privileges.html" class="ulink" target="_top">Kibana privileges</a> for the machine learning features.
<span class="Admonishment Admonishment--change">
[<span class="Admonishment-version u-mono u-strikethrough">7.5.0</span>]
<span class="Admonishment-detail">
Deprecated in 7.5.0. Replaced by <a class="xref" href="built-in-roles.html#built-in-roles-transform-user"><code class="literal">transform_user</code></a>
</span>
</span>.
</dd>
<dt>
<span class="term">
<a id="built-in-roles-enrich-user"></a> <code class="literal">enrich_user</code>
</span>
</dt>
<dd>
Grants access to manage <span class="strong strong"><strong>all</strong></span> enrich indices (<code class="literal">.enrich-*</code>) and <span class="strong strong"><strong>all</strong></span> operations on
ingest node pipelines.
</dd>
<dt>
<span class="term">
<a id="built-in-roles-ingest-user"></a> <code class="literal">ingest_admin</code>
</span>
</dt>
<dd>
<p>
Grants access to manage <span class="strong strong"><strong>all</strong></span> index templates and <span class="strong strong"><strong>all</strong></span> ingest pipeline configurations.
</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>This role does <span class="strong strong"><strong>not</strong></span> provide the ability to create indices; those privileges
must be defined in a separate role.</p>
</div>
</div>
</dd>
<dt>
<span class="term">
<a id="built-in-roles-kibana-dashboard"></a> <code class="literal">kibana_dashboard_only_user</code>
</span>
</dt>
<dd>
(This role is deprecated; use
<a href="https://www.elastic.co/guide/en/kibana/7.7/kibana-privileges.html#kibana-feature-privileges" class="ulink" target="_top">Kibana feature privileges</a>
instead.)
Grants read-only access to the Kibana Dashboard in every
<a href="https://www.elastic.co/guide/en/kibana/7.7/xpack-spaces.html" class="ulink" target="_top">space in Kibana</a>.
This role does not have access to editing tools in Kibana.
</dd>
<dt>
<span class="term">
<a id="built-in-roles-kibana-system"></a> <code class="literal">kibana_system</code>
</span>
</dt>
<dd>
<p>
Grants access necessary for the Kibana system user to read from and write to the
Kibana indices, manage index templates and tokens, and check the availability of
the Elasticsearch cluster. This role grants read access to the <code class="literal">.monitoring-*</code> indices
and read and write access to the <code class="literal">.reporting-*</code> indices. For more information,
see <a href="https://www.elastic.co/guide/en/kibana/7.7/using-kibana-with-security.html" class="ulink" target="_top">Configuring Security in Kibana</a>.
</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>This role should not be assigned to users as the granted permissions may
change between releases.</p>
</div>
</div>
</dd>
<dt>
<span class="term">
<a id="built-in-roles-kibana-admin"></a> <code class="literal">kibana_admin</code>
</span>
</dt>
<dd>
Grants access to all features in Kibana. For more information on Kibana authorization,
see <a href="https://www.elastic.co/guide/en/kibana/7.7/xpack-security-authorization.html" class="ulink" target="_top">Kibana authorization</a>.
</dd>
<dt>
<span class="term">
<a id="built-in-roles-kibana-user"></a> <code class="literal">kibana_user</code>
</span>
</dt>
<dd>
(This role is deprecated; use the
<a class="xref" href="built-in-roles.html#built-in-roles-kibana-admin"><code class="literal">kibana_admin</code></a> role instead.)
Grants access to all features in Kibana. For more information on Kibana authorization,
see <a href="https://www.elastic.co/guide/en/kibana/7.7/xpack-security-authorization.html" class="ulink" target="_top">Kibana authorization</a>.
</dd>
<dt>
<span class="term">
<a id="built-in-roles-logstash-admin"></a> <code class="literal">logstash_admin</code>
</span>
</dt>
<dd>
Grants access to the <code class="literal">.logstash*</code> indices for managing configurations.
</dd>
<dt>
<span class="term">
<a id="built-in-roles-logstash-system"></a> <code class="literal">logstash_system</code>
</span>
</dt>
<dd>
<p>
Grants access necessary for the Logstash system user to send system-level data
(such as monitoring) to Elasticsearch. For more information, see
<a href="https://www.elastic.co/guide/en/logstash/7.7/ls-security.html" class="ulink" target="_top">Configuring Security in Logstash</a>.
</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
This role should not be assigned to users as the granted permissions may
change between releases.
</li>
<li class="listitem">
This role does not provide access to the logstash indices and is not
suitable for use within a Logstash pipeline.
</li>
</ul>
</div>
</div>
</div>
</dd>
<dt>
<span class="term">
<a id="built-in-roles-ml-admin"></a> <code class="literal">machine_learning_admin</code>
</span>
</dt>
<dd>
Provides all of the privileges of the <code class="literal">machine_learning_user</code> role plus the full
use of the machine learning APIs. Grants <code class="literal">manage_ml</code> cluster privileges, read access to
<code class="literal">.ml-anomalies*</code>, <code class="literal">.ml-notifications*</code>, <code class="literal">.ml-state*</code>, <code class="literal">.ml-meta*</code> indices and
write access to <code class="literal">.ml-annotations*</code> indices. Machine learning administrators also need
index privileges for source and destination indices and roles that grant
access to Kibana.
See <a href="https://www.elastic.co/guide/en/machine-learning/7.7/setup.html#setup-privileges" class="ulink" target="_top">Machine learning security privileges</a>.
</dd>
<dt>
<span class="term">
<a id="built-in-roles-ml-user"></a> <code class="literal">machine_learning_user</code>
</span>
</dt>
<dd>
Grants the minimum privileges required to view machine learning configuration,
status, and work with results. This role grants <code class="literal">monitor_ml</code> cluster privileges,
read access to the <code class="literal">.ml-notifications</code> and <code class="literal">.ml-anomalies*</code> indices
(which store machine learning results), and write access to <code class="literal">.ml-annotations*</code> indices.
Machine learning users also need index privileges for source and destination
indices and roles that grant access to Kibana. See
<a href="https://www.elastic.co/guide/en/machine-learning/7.7/setup.html#setup-privileges" class="ulink" target="_top">Machine learning security privileges</a>.
</dd>
<dt>
<span class="term">
<a id="built-in-roles-monitoring-user"></a> <code class="literal">monitoring_user</code>
</span>
</dt>
<dd>
Grants the minimum privileges required for any user of X-Pack monitoring other than those
required to use Kibana. This role grants access to the monitoring indices and grants
privileges necessary for reading basic cluster information. This role also includes
all <a href="https://www.elastic.co/guide/en/kibana/7.7/kibana-privileges.html" class="ulink" target="_top">Kibana privileges</a> for the Elastic Stack monitoring features.
Monitoring users should also be assigned the <code class="literal">kibana_admin</code> role, or another role
with <a href="https://www.elastic.co/guide/en/kibana/7.7/xpack-security-authorization.html" class="ulink" target="_top">access to the Kibana instance</a>.
</dd>
<dt>
<span class="term">
<a id="built-in-roles-remote-monitoring-agent"></a> <code class="literal">remote_monitoring_agent</code>
</span>
</dt>
<dd>
Grants the minimum privileges required to write data into the monitoring indices
(<code class="literal">.monitoring-*</code>). This role also has the privileges necessary to create
Metricbeat indices (<code class="literal">metricbeat-*</code>) and write data into them.
</dd>
<dt>
<span class="term">
<a id="built-in-roles-remote-monitoring-collector"></a> <code class="literal">remote_monitoring_collector</code>
</span>
</dt>
<dd>
Grants the minimum privileges required to collect monitoring data for the Elastic Stack.
</dd>
<dt>
<span class="term">
<a id="built-in-roles-reporting-user"></a> <code class="literal">reporting_user</code>
</span>
</dt>
<dd>
Grants the specific privileges required for users of X-Pack reporting other than those
required to use Kibana. This role grants access to the reporting indices; each
user has access to only their own reports.
Reporting users should also be assigned additional roles that grant
<a href="https://www.elastic.co/guide/en/kibana/7.7/xpack-security-authorization.html" class="ulink" target="_top">access to Kibana</a> as well as read
access to the <a class="xref" href="defining-roles.html#roles-indices-priv" title="Indices Privileges">indices</a> that will be used to generate reports.
</dd>
<dt>
<span class="term">
<a id="built-in-roles-snapshot-user"></a> <code class="literal">snapshot_user</code>
</span>
</dt>
<dd>
Grants the necessary privileges to create snapshots of <span class="strong strong"><strong>all</strong></span> the indices and
to view their metadata. This role enables users to view the configuration of
existing snapshot repositories and snapshot details. It does not grant authority
to remove or add repositories or to restore snapshots. It also does not enable
users to change index settings or to read or update index data.
</dd>
<dt>
<span class="term">
<a id="built-in-roles-superuser"></a> <code class="literal">superuser</code>
</span>
</dt>
<dd>
Grants full access to the cluster, including all indices and data. A user with
the <code class="literal">superuser</code> role can also manage users and roles and
<a class="xref" href="run-as-privilege.html" title="Submitting requests on behalf of other users">impersonate</a> any other user in the system. Due to the
permissive nature of this role, take extra care when assigning it to a user.
</dd>
<dt>
<span class="term">
<a id="built-in-roles-transform-admin"></a> <code class="literal">transform_admin</code>
</span>
</dt>
<dd>
Grants <code class="literal">manage_transform</code> cluster privileges, which enable you to manage
transforms. This role also includes all
<a href="https://www.elastic.co/guide/en/kibana/7.7/kibana-privileges.html" class="ulink" target="_top">Kibana privileges</a> for the machine learning features.
</dd>
<dt>
<span class="term">
<a id="built-in-roles-transform-user"></a> <code class="literal">transform_user</code>
</span>
</dt>
<dd>
Grants <code class="literal">monitor_transform</code> cluster privileges, which enable you to use
transforms. This role also includes all
<a href="https://www.elastic.co/guide/en/kibana/7.7/kibana-privileges.html" class="ulink" target="_top">Kibana privileges</a> for the machine learning features.
</dd>
<dt>
<span class="term">
<a id="built-in-roles-transport-client"></a> <code class="literal">transport_client</code>
</span>
</dt>
<dd>
<p>
Grants the privileges required to access the cluster through the Java Transport
Client. The Java Transport Client fetches information about the nodes in the
cluster using the <em>Node Liveness API</em> and the <em>Cluster State API</em> (when
sniffing is enabled). Assign your users this role if they use the
Transport Client.
</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>Using the Transport Client effectively means the users are granted access
to the cluster state. This means users can view the metadata of all indices,
index templates, mappings, nodes and basically everything about the cluster.
However, this role does not grant permission to view the data in all indices.</p>
</div>
</div>
</dd>
<dt>
<span class="term">
<a id="built-in-roles-watcher-admin"></a> <code class="literal">watcher_admin</code>
</span>
</dt>
<dd>
<p>Grants read access to the <code class="literal">.watches</code> index, read access to the watch history and
the triggered watches index, and allows the user to execute all watcher actions.</p>
</dd>
<dt>
<span class="term">
<a id="built-in-roles-watcher-user"></a> <code class="literal">watcher_user</code>
</span>
</dt>
<dd>
<p>Grants read access to the <code class="literal">.watches</code> index, the get watch action and the watcher
stats.</p>
</dd>
</dl>
</div>
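<p>Added example (not part of the Elastic documentation): a Python check that applies the notes in the role list above to user-to-role assignments, flagging system roles held by ordinary users, deprecated roles, and <code class="literal">superuser</code> holders. The input shape (username mapped to an object with <code class="literal">roles</code> and <code class="literal">metadata._reserved</code>, as assumed for the get users API response) and the sample accounts are constructed for illustration.</p>

```python
import json

# Role names and their status come from the role list above.
SERVICE_ONLY = {"beats_system", "kibana_system", "logstash_system"}
DEPRECATED = {  # deprecated role -> replacement named in the list
    "data_frame_transforms_admin": "transform_admin",
    "data_frame_transforms_user": "transform_user",
    "kibana_user": "kibana_admin",
    "kibana_dashboard_only_user": "Kibana feature privileges",
}
HIGH_PRIVILEGE = {"superuser"}

# Constructed sample. Assumed shape: username -> {"roles": [...], "metadata": {...}},
# with built-in accounts marked by metadata._reserved = true.
SAMPLE_USERS_JSON = """
{
  "kibana":   {"roles": ["kibana_system"], "metadata": {"_reserved": true}},
  "alice":    {"roles": ["kibana_user", "monitoring_user"], "metadata": {}},
  "svc_ship": {"roles": ["beats_system"], "metadata": {}},
  "bob":      {"roles": ["superuser", "data_frame_transforms_admin"], "metadata": {}},
  "carol":    {"roles": ["kibana_admin", "reporting_user"], "metadata": {}}
}
"""


def audit_users(users):
    """Return (username, role, category, advice) tuples, ordered by username."""
    findings = []
    for name in sorted(users):
        user = users[name]
        reserved = bool((user.get("metadata") or {}).get("_reserved"))
        for role in user.get("roles", []):
            if role in SERVICE_ONLY and not reserved:
                # The list says these roles should not be assigned to users
                # because the granted permissions may change between releases.
                findings.append((name, role, "service-only",
                                 "define a dedicated role instead"))
            elif role in DEPRECATED:
                findings.append((name, role, "deprecated",
                                 "replace with " + DEPRECATED[role]))
            elif role in HIGH_PRIVILEGE and not reserved:
                # superuser can manage users and roles and impersonate anyone.
                findings.append((name, role, "high-privilege",
                                 "confirm this account needs full cluster access"))
    return findings


def audit_json(text):
    """Parse a JSON user map and audit it."""
    return audit_users(json.loads(text))


if __name__ == "__main__":
    for finding in audit_json(SAMPLE_USERS_JSON):
        print("%-9s %-28s %-15s %s" % finding)
```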
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>